In this article, I will demonstrate how to configure a Cisco ASA for digital certificate-based authentication for remote access VPN users.
- Admin access to the Cisco ASA
- Root CA and (if applicable) any sub-CAs for the users who will connect remotely
- Users/devices with signed certificates
- ASAv 9.17(1)7
- Active Directory Domain
- AnyConnect client
We will first start by downloading the Root CA which has been used to sign certificates associated with our remote access users and their devices. Once downloaded, we will need to upload this to the ASA. In this demonstration, we will use ASDM to upload the certificate.
Log into your ASA and navigate to Configuration > Device Management > Certificate Management and select ‘CA Certificates’. Add your Root CA and any relevant subordinate CAs to the ASA. In this demonstration, we won’t perform any certificate revocation checks, but in a live environment I would strongly recommend that you do.
Press ‘Install Certificate’ to add your root CA.
By default, the certificate will be accepted for IPsec and SSL client connections. If you want to change this, you can edit the certificate and select the necessary options from the ‘Advanced’ tab. In this demonstration, we will leave the options that are selected as default.
Now we will focus on the ASA VPN configuration.
Note: Your configuration may differ from the lab environment demonstration.
Navigate to Remote Access VPN > Network (Client) Access > AnyConnect Client Software. You will need to upload the relevant AnyConnect client images to your ASA so that when users connect for the first time, they can download AnyConnect before connecting to the VPN. In this demonstration, I’ve just uploaded one AnyConnect package.
Now select ‘AnyConnect Connection Profile’ and in this demonstration, we will create a new connection profile, specifically for certificate-based authentication.
Once complete, navigate to AnyConnect Client Profile. This is where we will create a client profile for users connecting to the VPN using certificates.
In the first step, give the profile a name and specify the group policy with which this profile is to be used. This is the group policy that matches the connection profile just configured for certificate-based authentication.
Once complete, press ‘OK’.
Now click ‘Edit’ to modify the parameters of the new profile that we’ve just created.
In this demonstration, we are using a Windows machine to connect to the VPN and therefore our demonstration will focus on settings related to Windows. If you have different operating systems connecting to the VPN, then you will need to ensure that the relevant settings are configured for them too.
In ‘Part 1’, we will change the Certificate Store setting to check the machine certificate store. By default ‘All’ is selected, which is usually fine if you don’t need granular control over which certificate store is used.
We will also change the setting ‘Windows VPN Establishment’ to ‘AllowRemoteUsers’. This will allow remote users to connect.
Navigate to ‘Server List’ and add the hostname/IP address of your ASA’s interface that will be used to terminate VPN connections.
Once done, make sure you save your configuration changes.
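The ASDM steps above, expressed as the equivalent ASA CLI configuration. This is an added example and not configuration from the original article: the trustpoint name ROOT-CA, the pool name VPN-POOL, the profile name CertProfile, the file paths on disk0: and the address range are assumed placeholders, while the group policy ‘Certs’ and tunnel group ‘CertificateAuth’ match the names that appear in the session output later in the article. Unlike the lab, it enables CRL revocation checking, as the article recommends for a live environment.

```cisco
! Trustpoint for the Root CA that signed the remote users' certificates.
! Repeat the trustpoint and authenticate steps for each subordinate CA.
crypto ca trustpoint ROOT-CA
 enrollment terminal
 ! The lab skips revocation checks; a live deployment should not.
 ! 'crl' with no 'none' fallback rejects the connection when the CRL
 ! at the certificate's distribution point cannot be retrieved.
 revocation-check crl
 ! Same as the 'Advanced' tab defaults: this CA may validate
 ! certificates presented by IPsec and SSL VPN clients.
 validation-usage ipsec-client ssl-client

! Import the Root CA: paste the PEM at the prompt, finish with 'quit',
! and compare the fingerprint shown against the CA's published value.
crypto ca authenticate ROOT-CA

! Addresses handed to connected clients (assumed TEST-NET-1 placeholder range).
ip local pool VPN-POOL 192.0.2.10-192.0.2.50 mask 255.255.255.0

! Group policy 'Certs', the policy the certificate connection profile uses.
group-policy Certs internal
group-policy Certs attributes
 vpn-tunnel-protocol ssl-client
 address-pools value VPN-POOL
 webvpn
  ! Client profile written by the profile editor (assumed profile name).
  anyconnect profiles value CertProfile type user

! Connection profile 'CertificateAuth': certificate is the only credential.
tunnel-group CertificateAuth type remote-access
tunnel-group CertificateAuth general-attributes
 default-group-policy Certs
tunnel-group CertificateAuth webvpn-attributes
 authentication certificate
 group-alias CertificateAuth enable

! AnyConnect package and client profile served on the VPN-terminating interface.
webvpn
 enable outside
 anyconnect image disk0:/<anyconnect-win-webdeploy-k9.pkg> 1
 anyconnect profiles CertProfile disk0:/certprofile.xml
 anyconnect enable
 tunnel-group-list enable

! Save, then verify the imported CA and the sessions that establish.
write memory
show crypto ca certificates ROOT-CA
show vpn-sessiondb detail anyconnect
```

The file disk0:/certprofile.xml is the profile that ASDM’s profile editor produces; the two settings changed in the walkthrough appear in it as `<CertificateStore>Machine</CertificateStore>` and `<WindowsVPNEstablishment>AllowRemoteUsers</WindowsVPNEstablishment>`, and the ASA hostname or address entered under ‘Server List’ becomes a `<HostEntry>` in its `<ServerList>` section. After a client connects, the `show vpn-sessiondb` output should report `Auth Mode : Certificate` for both the parent and the SSL tunnel; a session showing any other auth mode under this tunnel group indicates the connection profile is not the one intended.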
Provided that all of your certificate requirements are in place, you should now be able to test. In the example below you can see that my demo machine has successfully connected and that the authentication method is Certificates. Note that some details, such as IP addresses, have been omitted.
```
ciscoasa# show vpn-sessiondb detail anyconnect

Session Type: AnyConnect Detailed

Username     : <Unknown>              Index        : 21
Assigned IP  : <Omitted>              Public IP    : <Omitted>
Protocol     : AnyConnect-Parent SSL-Tunnel
License      : AnyConnect Premium
Encryption   : AnyConnect-Parent: (1)none  SSL-Tunnel: (1)AES-GCM-256
Hashing      : AnyConnect-Parent: (1)none  SSL-Tunnel: (1)SHA384
Bytes Tx     : 19783                  Bytes Rx     : 52201
Pkts Tx      : 12                     Pkts Rx      : 448
Pkts Tx Drop : 0                      Pkts Rx Drop : 0
Group Policy : Certs                  Tunnel Group : CertificateAuth
Login Time   : 13:07:21 UTC Fri Aug 19 2022
Duration     : 0h:03m:20s
Inactivity   : 0h:00m:00s
VLAN Mapping : N/A                    VLAN         : none
Audt Sess ID : c0a877020001500062ff8b09
Security Grp : none

AnyConnect-Parent Tunnels: 1
SSL-Tunnel Tunnels: 1

AnyConnect-Parent:
  Tunnel ID    : 21.1
  Public IP    : <Omitted>
  Encryption   : none                   Hashing      : none
  TCP Src Port : 56911                  TCP Dst Port : 443
  Auth Mode    : Certificate
  Idle Time Out: 30 Minutes             Idle TO Left : 26 Minutes
  Client OS    : win
  Client OS Ver: 10.0.19044
  Client Type  : AnyConnect
  Client Ver   : Cisco AnyConnect VPN Agent for Windows 4.9.05042
  Bytes Tx     : 11574                  Bytes Rx     : 219
  Pkts Tx      : 6                      Pkts Rx      : 0
  Pkts Tx Drop : 0                      Pkts Rx Drop : 0

SSL-Tunnel:
  Tunnel ID    : 21.2
  Assigned IP  : <Omitted>              Public IP    : <Omitted>
  Encryption   : AES-GCM-256            Hashing      : SHA384
  Ciphersuite  : ECDHE-RSA-AES256-GCM-SHA384
  Encapsulation: TLSv1.2                TCP Src Port : 56924
  TCP Dst Port : 443                    Auth Mode    : Certificate
  Idle Time Out: 30 Minutes             Idle TO Left : 30 Minutes
  Client OS    : Windows
  Client Type  : SSL VPN Client
  Client Ver   : Cisco AnyConnect VPN Agent for Windows 4.9.05042
  Bytes Tx     : 8209                   Bytes Rx     : 53380
  Pkts Tx      : 6                      Pkts Rx      : 463
  Pkts Tx Drop : 0                      Pkts Rx Drop : 0
```